Single Sign-On Overview
Identity allows customers to connect their user directories as an identity provider (IDP); this is referred to as "Identity Federation." When federation is configured, Identity delegates authentication and authorization of end users to the federated IDP, so our customers gain control over which employees can access the Ansarada Platform.
The following diagram demonstrates the simplified authorization flow (login) when identity federation is used (authorization protocol-specific details are omitted for brevity):
The following diagram demonstrates the simplified Ansarada platform invitation flow when identity federation is used (authorization protocol-specific details are omitted for brevity):
Single Sign-On Setup
Step 1
Please send us the following information, which will help us set up your SSO configuration on the Ansarada platform. Please include all fields:
Email Domains & SSO URL
Parameter | Value | Description |
Email domains | a list of email domains | The email domain(s) of users that should be authenticated by the configured Identity Provider |
SSO URL | URL | The URL at the Identity Provider to which SAML authentication requests should be sent. This is often called a Single Sign-on (SSO) URL |
Logout URL | URL | The URL at the Identity Provider to which SAML logout requests should be sent. This is often called a logout URL, a global logout URL or single logout URL |
Signing certificate | .pem or .cer format | The Identity Provider will digitally sign authentication assertions and the signing certificate is needed by the Service Provider to validate the signature of the signed assertions. |
SAML token mapping information
Parameter | Is Required | SAML Value | Description |
Name ID | yes | Identifier of a user in Identity Provider. At the moment, Ansarada requires email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) as NameID format | |
yes | User's email address | ||
FirstName | yes | User's first name | |
LastName | yes | User's last name | |
FullName | optional | User's full name |
Step 2
Once your SSO account has been set up on the Ansarada side (using the information you sent us in the previous step), we will provide information about what the Ansarada platform expects to receive as a result of successful authorization (Assertion Consumer Service URL and EntityID).
Parameter | Value | Description |
Assertion Consumer Service URL / Application Callback URL | https://auth.au.ansarada.com/login/callback?connection=<sso-connection-id> | The URL where the Identity Provider needs to send the SAML assertions after it has authenticated a user. The sso-connection-id varies per customer. The final value is known after the initial setup in Identity |
EntityID (Audience) | urn:auth0:ansarada:<sso-connection-id> | The value identifies the audience (service provider) to whom the SAML assertion is issued. The sso-connection-id varies per customer. The final value is known after the initial setup in Identity |
Single Logout Service URL | The Single Logout Service URL, where SAML logout requests and/or responses from the Identity Provider must be sent. When configuring the Identity Provider, make sure that SAML Logout Requests sent to the Service Provider are signed. |
Step 3
Once Steps 1 to 2 are done, we can schedule a testing session to make sure SSO was configured properly and go live. We suggest you set up a test email domain for testing purposes. For example, @test.awesomecorp.com.
For any help throughout the process, please reach out to Ansarada support.
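Before the testing session in Step 3, an unsigned copy of an assertion produced by your Identity Provider can be checked against the values in the tables above. The script below is an added example, not Ansarada's code: `preflight`, the sample assertion and the `example-conn` connection id are constructed for illustration. It assumes the `<saml:Assertion>` element is the document root and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample: "example-conn" is a placeholder id, LastName is deliberately missing.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@test.awesomecorp.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://auth.au.ansarada.com/login/callback?connection=example-conn"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>urn:auth0:ansarada:example-conn</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def preflight(assertion_xml, connection_id, email_domains):
    """List mismatches with the setup tables; the signature is NOT checked here."""
    acs = f"https://auth.au.ansarada.com/login/callback?connection={connection_id}"
    audience = f"urn:auth0:ansarada:{connection_id}"
    root = ET.fromstring(assertion_xml)  # assumption: Assertion is the root element
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    else:
        domain = (name_id.text or "").strip().rpartition("@")[2].lower()
        if domain not in {d.lower() for d in email_domains}:
            problems.append(f"NameID domain {domain!r} is not a registered email domain")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience must be {audience}")
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append(f"Recipient must be {acs}")
    present = {a.get("Name") for a in root.findall(
        "saml:AttributeStatement/saml:Attribute", NS)}
    for attr in ("FirstName", "LastName"):  # required per the mapping table
        if attr not in present:
            problems.append(f"required attribute {attr} is missing")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE, "example-conn", ["test.awesomecorp.com"]))
```

An empty list means the assertion matches the expected NameID format, audience, recipient and required attributes; signature validation against the signing certificate still happens on the Service Provider side.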